Abstract

A circuit obfuscator is an algorithm that translates logic circuits into functionally-equivalent
similarly-sized logic circuits that are hard to understand. While ad hoc obfuscators exist, theo-
retical progress has mainly been limited to no-go results. In this work, we propose a new notion
of circuit obfuscation, which we call partial-indistinguishability. We then prove that, in contrast
to previous definitions of obfuscation, partial-indistinguishability obfuscation can be achieved
by a polynomial-time algorithm. Specifically, our algorithm re-compiles the given circuit using
a gate that satisfies the relations of the braid group, and then reduces to a braid normal form.
A variant of our obfuscation algorithm can also be applied to quantum circuits.

1 Introduction 

Informally, an obfuscator is an algorithm that accepts a circuit as input, and outputs a hard-to-
read but functionally equivalent circuit. (One can also discuss the related notion of obfuscating
programs, but in this work we focus on obfuscating circuits.) Obfuscation methods used in practice
so far have been essentially ad hoc [10, 35], and theoretical progress has primarily been in the form
of no-go theorems for various strong notions of obfuscation. The ability to efficiently obfuscate
certain circuits would have important applications in cryptography. For instance, sufficiently strong
obfuscation of circuits of the form "encrypt with the private key" could turn a private-key encryption
scheme into a public-key encryption scheme. As this example illustrates, one undesirable outcome
is when the input circuit can be recovered completely from the obfuscated circuit. In this case,
we say that the obfuscator completely failed on that circuit [6]. Unfortunately, every obfuscator
will completely fail on some circuits; consider a circuit which is learnable, in the sense that a
small number of its outputs can be used to efficiently compute a description of the circuit itself.
On the other hand, there are trivial obfuscators which will erase at least some information from
some circuits, e.g., by removing all instances of $X^{-1}X$ for some invertible gate $X$. These kinds of
exceptions are part of the reason why giving good definitions of obfuscation and designing good
obfuscators appear to be difficult.

In order to give a formal definition of obfuscation, one must decide on a reasonable definition of 
"hard-to-read." The most stringent definition in the literature demands black-box obfuscation, i.e., 
that the output circuit is computationally no more useful than a black box that computes the same 
function. Barak et al. [7] gave an explicit family of circuits that are not learnable and yet cannot 
be black-box obfuscated. They also showed that there exists a private-key encryption scheme that 
cannot be turned into a public-key cryptosystem by obfuscation. Their results do not preclude the
possibility of black-box obfuscation for specific families of circuits, or of applying obfuscation to
produce public-key systems from private ones in a non-generic fashion.

A more relaxed definition asks that different (but functionally-equivalent and similarly-sized)
inputs to the obfuscator should lead to indistinguishable outputs. For any circuit $C$, let $|C|$ be the
number of elementary gates, and let $f_C$ be the Boolean function that $C$ computes.

Definition 1. A probabilistic algorithm $O$ is an indistinguishability obfuscator for the collection
$\mathcal{C}$ of circuits if the following three conditions hold:

1. (functionality) for every $C \in \mathcal{C}$, $f_{O(C)} = f_C$;

2. (polynomial slowdown) there is a polynomial $p$ such that $|O(C)| \le p(|C|)$ for every $C \in \mathcal{C}$;

3. (indistinguishability obfuscation) For sufficiently large input lengths, and for any $C_1, C_2 \in \mathcal{C}$
such that $f_{C_1} = f_{C_2}$ and $|C_1| = |C_2|$, the two distributions $O(C_1)$ and $O(C_2)$ are indistin-
guishable.

In the above definition, the map $O$ may be a probabilistic map, in which case one must choose a
notion of indistinguishability for probability distributions. Goldwasser and Rothblum [19] consider
three such notions: perfect (exact equality), statistical (total variation distance bounded by a
constant), and computational (no probabilistic polynomial-time Turing Machine can distinguish
samples with better than negligible probability). They show that the existence of an efficient
statistical indistinguishability obfuscator would result in a collapse of the polynomial hierarchy to
the second level. This result also applies if the condition $|C_1| = |C_2|$ in property (3) of Definition 1
is relaxed to $|C_1| = k|C_2|$ for any fixed constant $k$ [19].

We remark that an indistinguishability obfuscator does not immediately provide a generic
method for turning private keys into public keys. To see this, consider a family of encryption
circuits $\{E_k\}$ corresponding to private keys and suppose it is easy to recover $k$ from the circuit
diagram of $E_k$. Consider the algorithm that computes the entire function table of the input circuit
$C$, and outputs $E_k$ if the functions implemented by $C$ and $E_k$ are equal. Since each $E_k$ has different
functionality, it's not hard to see that this algorithm is an (inefficient) indistinguishability obfus-
cator for the family of all circuits which are equivalent to (and of similar size as) the encryption
circuits. The "obfuscation" of $E_k$ is just $E_k$ itself, and clearly cannot serve as a public key. Note that
if this functionality can be achieved via an efficient algorithm $O$, then no other obfuscator $O'$ can
successfully hide the keys, since given $O'(E_k)$, one can simply compute $O(O'(E_k)) = E_k$.

Another natural choice of property (3) in Definition 1 is best-possible obfuscation; in that case,
we ask that the obfuscated circuit reveals no more information than any other circuit that computes
the same function. Goldwasser and Rothblum [19] showed that for efficient obfuscators, indistin-
guishability obfuscation is equivalent to best-possible obfuscation. They then proved that, in the
limited computational model of polynomial-sized ordered binary decision diagrams (or POBDDs),
perfect indistinguishability obfuscation is possible but black-box obfuscation is not. The key fact
is that POBDDs have an efficiently computable normal form [9]. The obfuscator simply computes
that normal form, perfectly satisfying property (3) in Definition 1.

For general Boolean circuits, an efficiently computable normal form is too much to ask for, as
deciding circuit equivalence is coNP-hard. Our approach is to instead pursue a notion of "partial"
normal form. In partial-indistinguishability obfuscation, we relax condition (3) so that it need only
hold for $C_1$ and $C_2$ that are related by some fixed, finite set of relations on the underlying gate set.¹

Definition 2. Let $G$ be a set of gates and $\Gamma$ a set of relations satisfied by the elements of $G$. A
probabilistic algorithm $O$ is a $(G,\Gamma)$-indistinguishability obfuscator for the collection $\mathcal{C}$ of circuits
over $G$ if the following three conditions hold:

1. (functionality) for every $C \in \mathcal{C}$, $f_C = f_{O(C)}$;

2. (polynomial slowdown) there is a polynomial $p$ such that for every $C \in \mathcal{C}$, $n_{O(C)} \le p(n_C)$ and
$|O(C)| \le p(|C|)$;

3. ($(G,\Gamma)$-indistinguishability obfuscation) For any $C_1, C_2 \in \mathcal{C}$ that differ only by a sequence of
applications of the relations in $\Gamma$, the two distributions $O(C_1)$ and $O(C_2)$ are indistinguishable.

The power of the obfuscation is then determined by the power of the relations $\Gamma$. If $\Gamma$ is a com-
plete set of relations, generating all circuit equivalences over $G$, then a $(G,\Gamma)$-indistinguishability
obfuscator is essentially a perfect indistinguishability obfuscator, as defined in [19]. (Complete
sets of relations for {Toffoli} and {AND, OR, NOT} are given in [24, 23].) In the other extreme,
if $\Gamma$ is the empty set then a $(G,\Gamma)$-obfuscator does not hide a circuit at all; any two circuits
are mapped to distinguishable distributions. With different sets of relations, one can interpolate
between these extremes. The intermediate obfuscators form a partially ordered set, where a $(G,\Gamma')$-
indistinguishability obfuscator is strictly stronger than a $(G,\Gamma)$-indistinguishability obfuscator if $\Gamma'$
is a strict superset of $\Gamma$.

In this paper, we propose an efficient obfuscator for reversible circuits, where the gate set comes
from computationally universal representations of the braid group, and the relations are the braid
relations. Specifically, in what follows, $B$ accepts a circuit input and outputs the corresponding
braid, $C$ accepts a braid input and outputs the corresponding circuit, and $N$ accepts a braid input
and computes the normal form braid. The underlying representation is the quantum double of $A_5$,
as discussed in Section 4. Our obfuscation algorithm is simply

Algorithm 1.

1. input: a circuit $C$ on $n$ dits

2. output: the circuit $C(N(B(C)))$.

Our scheme is thus similar in spirit to previously-proposed obfuscation schemes based on applying
local circuit identities [35], but the uniqueness of normal forms adds a qualitatively new feature.
In our algorithm, each gate is simulated with a constant-size braid, and each braid crossing is
simulated with a constant-size circuit; these algorithms are described in Section 4. Computing the
normal form takes time $O(\ell^2 m \log m)$ for $m$-strand braids of length $\ell$; the relevant background in
braid groups and their normal forms is given in Section 2. Putting these ingredients together, we
see that the overall time complexity of Algorithm 1 is $O(|C|^2 n \log n)$.

In Section 5 we describe how a variant of our scheme can also be used to obfuscate quantum
circuits. The key (well-known) fact is that there are representations of the braid group which
are universal for quantum computation. The quantum obfuscator has time complexity $O(|C|^2 n \cdot
\mathrm{polylog}(n, 1/\epsilon))$ if one wishes to achieve functional equivalence to precision $\epsilon$.

¹Our construction for satisfying this definition uses reversible gates. The definition of functional equivalence
becomes more technical in that context, as discussed in Section 3.
Figure 1: The generator $\sigma_i$ represents the (clockwise) crossing of strands $i$ and $i+1$ connecting a
bottom row of "pegs" to a top row. Multiplication of group elements corresponds to composition
of braids. As an example, we show the 3-strand braid $\sigma_1^{-1}\sigma_2$ (left), and the same braid composed
with its inverse $\sigma_2^{-1}\sigma_1$ (middle), which is equivalent to the identity element of $B_3$ (right).



2 Braid groups 

The braid group $B_n$ is the infinite discrete group with generators $\sigma_1, \ldots, \sigma_{n-1}$ and relations

$$\sigma_i \sigma_j = \sigma_j \sigma_i \quad \forall\, |i - j| \ge 2,$$

$$\sigma_i \sigma_{i+1} \sigma_i = \sigma_{i+1} \sigma_i \sigma_{i+1} \quad \forall\, i. \qquad (1)$$



The group $B_n$ is thus the set of all words in the alphabet $\{\sigma_1, \ldots, \sigma_{n-1}, \sigma_1^{-1}, \ldots, \sigma_{n-1}^{-1}\}$, up to
equivalence determined by the above relations. In 1925 Artin proved that the abstract group
defined above precisely captures the topological equivalence of braided strings [5], as illustrated in
Fig. 1. A charming exposition of this subject can be found in [27].

In the word problem on $B_n$, we are given words $w$ and $z$, and our goal is to determine if they
are equal as elements of $B_n$. One solution is to put both $w$ and $z$ into a normal form, and then
check if they are equal as words. For our purposes, it is enough to describe the normal form and
specify the complexity of the algorithm for computing it. The details of the algorithm, along with
a thorough and accessible presentation of the relevant facts about braids, can be found in [13].

We first observe that the word problem is easily decidable if we restrict our attention to an
important subset of $B_n$. Note that the presentation (1) can also be viewed as a presentation of a
monoid, which we denote by $B_n^+$. The elements of $B_n^+$ are called positive braids, and are words in
the generators $\sigma_i$ only (no inverses), up to equivalence determined by the relations in (1). Since
all the relations of $B_n$ preserve word length, and there are only finitely many words of any given
length, we can decide the word problem (albeit very inefficiently) simply by trying all possible
combinations of the relations.

Building upon this, one can give an (inefficient) algorithm for the word problem on $B_n$ itself [20].
First, given two elements $a, b$ of $B_n^+$, we write $a \preccurlyeq b$ if there exists $z \in B_n^+$ such that $b = az$; in
this case we say that $a$ is a left divisor of $b$. Similarly, we write $a \succcurlyeq b$ if there exists $y \in B_n^+$ such
that $b = ya$; in this case we say that $a$ is a right divisor of $b$.² The center of $B_n$ is the cyclic group
generated by $\Delta_n$, where

$$\Delta_n := \Delta_{n-1}\,\sigma_{n-1}\sigma_{n-2}\cdots\sigma_1 \in B_n^+$$



²The terminology is not accidental; it turns out that we can also define l.c.m.s and g.c.d.s in $B_n^+$, and that $B_n$ is
the group of fractions of $B_n^+$. These facts are some of the achievements of Garside theory [18].
(see p. 30 of [2^ for a simple proof). Geometrically, $\Delta_n$ implements a twist by $\pi$ in the $z$-plane
as the strands move from $z = 0$ to $z = 1$. One can show that $\sigma_i \preccurlyeq \Delta_n$ for all $i$, i.e. there exists
$x_i \in B_n^+$ such that $\sigma_i^{-1} = x_i \Delta_n^{-1}$. Given a word $w$ in the $\sigma_i$ and their inverses, we first replace
the leftmost instance of an inverse generator (say it is $\sigma_i^{-1}$) with $x_i \Delta_n^{-1}$. We then insert $\Delta_n^{-1}\Delta_n$
in front of $x_i$, and observe that conjugating a positive braid $x$ by $\Delta_n$ results in another positive
braid (specifically, the rotation of $x$ by $\pi$ in the $z$-plane). In this way, we can push $\Delta_n^{-1}$ all the
way to the left. We repeat this process for each inverse generator appearing in the word, resulting
in a word of the form $\Delta_n^p b$ where $p \in \mathbb{Z}$ and $b \in B_n^+$. Since we can solve the word problem in $B_n^+$,
we can factor out the maximal power of $\Delta_n$ appearing as a left divisor of $b$. We thus have that, as
elements of the braid group, $w = \Delta_n^{p'} b'$ with $\Delta_n$ not a left divisor of $b'$ and $p'$ unique. This solves
the word problem in $B_n$.

We can make the above algorithm efficient by finding an efficiently computable normal form for
a positive braid word $b$ that does not have $\Delta_n$ as a left divisor. Recall that the symmetric group
$S_n$ has a remarkably similar presentation to $B_n$. Indeed, starting with (1), letting $\sigma_i = (i\ \ i+1)$
and adding the relations $\sigma_i^2 = 1$ for all $i$ results in the standard presentation of $S_n$. In other words,
there is a surjective homomorphism $\pi : B_n \to S_n$ with $\sigma_i \mapsto (i\ \ i+1)$. In terms of the geometric
interpretation, a braid is mapped to the permutation on $[n]$ defined by the connections between the
top and bottom "pegs," as in Figure 1. For each $\alpha \in S_n$, there is a unique preimage of $\alpha$ that can
be drawn so that any given pair of strands cross only in the positive direction, and at most once.
We call such braids simple braids, and they form a subset of $B_n^+$ of size $n!$.

Definition 3. (p. 4 of [13])

1. A sequence of simple braids $(s_1, \ldots, s_p)$ is said to be normal if, for each $j$, every $\sigma_i$ that is a
left divisor of $s_{j+1}$ is a right divisor of $s_j$.

2. A sequence of permutations $(f_1, \ldots, f_p)$ is said to be normal if, for each $j$, $f_{j+1}(i) > f_{j+1}(i+1)$
implies $f_j(i) > f_j(i+1)$.

A sequence of simple braids $(s_1, \ldots, s_p)$ is normal if and only if the sequence of permutations
$(\pi(s_1), \ldots, \pi(s_p))$ is normal. Given a permutation $f \in S_n$, let $\bar f$ denote the simple braid of $B_n$
satisfying $\pi(\bar f) = f$.

Theorem 1. (p. 4 of [13] and Ch. 9 of [H])

1. Every braid $z$ in $B_n$ admits a unique decomposition of the form $\Delta_n^m s_1 \cdots s_p$ with $m \in \mathbb{Z}$ and
$(s_1, \ldots, s_p)$ a normal sequence of simple braids satisfying $s_1 \ne \Delta_n$ and $s_p \ne 1$.

2. Every braid $z$ in $B_n$ admits a unique decomposition of the form $\Delta_n^m \bar f_1 \cdots \bar f_p$ with $m \in \mathbb{Z}$ and
$(f_1, \ldots, f_p)$ a normal sequence of permutations satisfying $f_1 \ne \pi(\Delta_n)$ and $f_p \ne 1$.

The most efficient algorithms for computing the normal form of a word $w$ in the generators of $B_n$
have complexity $O(|w|^2 n \log n)$ [13].
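The normal-form computation that Section 2 describes and that Algorithm 1 relies on, as an added worked example (illustration code written for this page, not the authors' implementation): a left-greedy normal form for words in $B_n$, with inverse generators removed by the $\Delta_n$-pushing trick above. Each simple braid is represented by its permutation $\pi(s)$, stored 0-indexed as the map from a strand's bottom position to its top position. The code assumes the conventions that words are read left to right, that $\sigma_i$ is a left divisor of a simple braid exactly when the strands entering positions $i$ and $i+1$ cross, and a right divisor exactly when the strands leaving those positions have crossed; `normal_form` and `braid_equal` are names chosen here. Two words that differ only by braid relations, such as $\sigma_1\sigma_2\sigma_1$ and $\sigma_2\sigma_1\sigma_2$, receive the same output, which is the property the obfuscator of Definition 2 needs, while $\sigma_1\sigma_2$ and $\sigma_2\sigma_1$ do not.

```python
"""Left-greedy normal form for braid words (illustration code for this page).

A word is a list of nonzero ints: +i means sigma_i, -i means sigma_i^{-1}.
Words are read left to right, so the first letter is at the bottom of the braid.
"""


def identity(n):
    return tuple(range(n))


def delta(n):
    # Delta_n as a permutation: the half twist reverses the strand positions.
    return tuple(range(n - 1, -1, -1))


def gen(i, n):
    # sigma_i (1-indexed) as a simple braid: swap positions i-1 and i.
    p = list(range(n))
    p[i - 1], p[i] = p[i], p[i - 1]
    return tuple(p)


def compose(a, b):
    # Braid a followed by braid b: the strand at position k ends at b[a[k]].
    return tuple(b[a[k]] for k in range(len(a)))


def inverse(a):
    inv = [0] * len(a)
    for k, v in enumerate(a):
        inv[v] = k
    return tuple(inv)


def starts(s, i):
    # sigma_i is a left divisor of s iff strands entering at i-1 and i cross in s.
    return s[i - 1] > s[i]


def ends(s, i):
    # sigma_i is a right divisor of s iff strands leaving at i-1 and i have crossed.
    t = inverse(s)
    return t[i - 1] > t[i]


def flip(s, n):
    # tau(s) = Delta s Delta^{-1}: conjugation by the half twist mirrors positions,
    # sending sigma_i to sigma_{n-i}.
    r = delta(n)
    return tuple(r[s[r[k]]] for k in range(n))


def normal_form(word, n):
    """Return (m, simples) with word == Delta_n^m s_1 ... s_p, (s_j) a normal
    sequence of simple braids, s_1 != Delta_n and s_p != 1 (Theorem 1)."""
    m, simples = 0, []
    for letter in word:
        i = abs(letter)
        if letter > 0:
            simples.append(gen(i, n))
        else:
            # sigma_i^{-1} = x_i Delta^{-1} with x_i = sigma_i^{-1} Delta positive.
            # Push Delta^{-1} to the far left; everything it passes gets flipped.
            x = compose(gen(i, n), delta(n))
            simples = [flip(s, n) for s in simples] + [flip(x, n)]
            m -= 1
    # Left-weight adjacent pairs: move every sigma_i that starts s_{j+1} but does
    # not end s_j leftwards, until the sequence is normal in the sense of Def. 3.
    changed = True
    while changed:
        changed = False
        for j in range(len(simples) - 1):
            a, b = simples[j], simples[j + 1]
            for i in range(1, n):
                if starts(b, i) and not ends(a, i):
                    a, b = compose(a, gen(i, n)), compose(gen(i, n), b)
                    changed = True
            simples[j], simples[j + 1] = a, b
    # Absorb leading Delta factors into the exponent; drop trailing identities.
    while simples and simples[0] == delta(n):
        simples.pop(0)
        m += 1
    while simples and simples[-1] == identity(n):
        simples.pop()
    return m, tuple(simples)


def braid_equal(w1, w2, n):
    """Solve the word problem by comparing normal forms."""
    return normal_form(w1, n) == normal_form(w2, n)
```

The fixpoint loop terminates because every move carries one crossing one place to the left while the total number of crossings is fixed; for the quadratic-time algorithm of [13] the same left-weighting is organised more carefully, but the resulting normal form is the same unique decomposition.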

3 Reversible Circuits 

The partial-indistinguishability obfuscator given in Section 4 uses a gate $R$ satisfying the relations
of the braid group. Because group elements are invertible, $R$ must be a reversible gate, that is,
it must bijectively map its possible inputs to its possible outputs. For example, a NOT gate is
reversible, but an AND gate is not. In general, a reversible circuit need not act on bits, but can
act on $d$-state dits. For bijectivity, the number of output dits must equal the number of input dits.
A circuit composed entirely of reversible gates is called a reversible circuit. For more background
on reversible computation see [8, HH, 32].

Because reversible circuits cannot erase any information, they operate using ancillary dits ("an-
cillas") to store unerasable data left over from intermediate steps in the computation. A reversible
circuit evaluating a function $f : \{0, \ldots, d-1\}^n \to \{0, \ldots, d-1\}^m$ thus operates on $r \ge \max(n, m)$
dits, where $r - n$ of the input dits are work dits to be initialized to some fixed value independent of
the problem instance, and $r - m$ of the output dits contain unerasable leftover data, to be ignored.
Efficient procedures are known for compiling arbitrary logic circuits into reversible form [U, 16].

In Definition 1 of perfect indistinguishability obfuscation, the notion of functional equivalence
is used twice. First, the original circuit $C$ must be functionally equivalent to the obfuscated circuit
$O(C)$. Second, if $C_1$ and $C_2$ are functionally equivalent then $O(C_1)$ must be indistinguishable from
$O(C_2)$. In partial-indistinguishability obfuscation, the second usage of functional equivalence is
superseded by the set of relations $\Gamma$.

In adapting Definitions 1 and 2 to reversible circuits, one is faced with two natural choices for the
notion of functional equivalence. One may either demand that the original and obfuscated circuits
implement the same function $f : \{0,1\}^n \to \{0,1\}^m$, ignoring the ancilla dits (weak equivalence),
or demand that they implement the same transformation on the entire set of $r$ dits, including the
ancillas (strong equivalence).

The construction given in this section satisfies partial-indistinguishability obfuscation so that
the obfuscated circuit is strongly equivalent to the original circuit. Strong equivalence implies weak
equivalence, so our construction proves that both possible definitions of partial-indistinguishability
are polynomial-time achievable when $\Gamma$ is the set of relations of the braid group.

One is left with a natural question: is perfect indistinguishability obfuscation of reversible
circuits possible if we only demand that $O(C_1) = O(C_2)$ when $C_1$ is strongly equivalent to $C_2$?
In the case of ordinary irreversible circuits, we argued that perfect polynomial-time deterministic
indistinguishability obfuscation is impossible (assuming $P \ne NP$) because circuit equivalence is
coNP-complete. As shown in [26], strong equivalence of reversible circuits remains coNP-complete
for standard reversible gate sets. Thus, assuming $P \ne NP$, deterministic indistinguishability obfus-
cation of reversible circuits cannot be achieved in polynomial time even if one only demands that
strongly equivalent circuits have indistinguishable obfuscations.



4 Classical Computation with braids 

In this section, we present a reversible gate $R$ on pairs of 60-state dits that can perform universal
computation and obeys the relations of the braid group. The universality construction for this
gate comes from the quantum computation literature [28, 33, 30], but we present it here in purely
classical language to make it accessible to a broader audience.

Suppose we arrange $n$ dits on a line, and allow $R$ to act only on neighboring dits. Further, we
do not allow $R$ to be applied "upside-down". Then, there are $n - 1$ choices for how to apply $R$.
We label these $R_1, R_2, \ldots, R_{n-1}$, as illustrated in Figure 2. Each of $R_1, \ldots, R_{n-1}$ corresponds to a
$d^n \times d^n$ permutation matrix.$\,$ Specifically, $R_j$ is obtained by taking the tensor product of $R$ with
identity matrices according to

$$R_j = I_{d \times d}^{\otimes (j-1)} \otimes R \otimes I_{d \times d}^{\otimes (n-j-1)}.$$
[Figure 2: a circuit of three $R$ gates, labelled $R_1$, $R_3$ and $R_2$, on a line of dits.]

Figure 2: An example of a reversible circuit constructed from a single gate $R$. As a product of
matrices, we write this $R_2 R_3 R_1$, in keeping with the convention [32] that circuit diagrams are to
be read left-to-right, whereas the matrix product acts right-to-left. Note that in subsequent circuit
diagrams we drop the subscripts from the $R$ gates as these can be read off from the "wires" the
gates act on.



$R_1, \ldots, R_{n-1}$ generate a subgroup of $S_{d^n}$. Among others, these generators obey the relations

$$R_i R_j = R_j R_i \quad \forall\, |i - j| \ge 2. \qquad (2)$$

If $R$ satisfies

$$R_1 R_2 R_1 = R_2 R_1 R_2 \qquad (3)$$

then

$$R_i R_{i+1} R_i = R_{i+1} R_i R_{i+1} \quad \forall\, i \qquad (4)$$

and in this case the gates $R_1, \ldots, R_{n-1}$ satisfy all the relations of the braid group $B_n$. In other
words, the map defined by $\sigma_i \mapsto R_i$ and $\sigma_i^{-1} \mapsto R_i^{-1}$ is a homomorphism from $B_n$ to $S_{d^n}$, i.e. a
representation of the braid group. Note that this representation is never faithful as $B_n$ is infinite.

The condition (3) is known as the Yang-Baxter equation.³ Finding all the matrices satisfying
the Yang-Baxter equation at a given dimension has only been achieved at $d = 2$ [22]. However,
certain systematic constructions coming from mathematical physics can produce infinite families of
solutions. In particular, let $G$ be any finite group, and let $R$ be the permutation on the set $G \times G$
defined by

$$R(a, b) = (b,\ b^{-1} a b). \qquad (5)$$

By direct calculation one sees that any such $R$ satisfies the Yang-Baxter equation. (In physics
language, $R$ comes from the braiding statistics of the magnetic fluxes in the quantum double of $G$.)

In 1997, Kitaev discovered that choosing $G$ to be the symmetric group $S_5$ yields an $R$ gate suf-
ficient to perform universal reversible computation [28]. Ogburn and Preskill subsequently showed
that the alternating group $A_5$, which is half as large as $S_5$, is already sufficient. The universality
construction for $A_5$ was subsequently presented in greater detail and generalized to all non-solvable
groups by Mochon [30]. In the remainder of this section we give a self-contained exposition of the
universality construction from [30], shorn of physics language.

To obtain a representation of the braid group, we must strictly enforce the requirement that 
application of R to neighboring dits on a line is the only allowed operation. In particular, we are 
not given as elementary operations the ability to apply R upside-down, or to non-neighboring dits, 

³Actually, two slightly different equations go by the name Yang-Baxter in the literature. Careful sources distinguish
these as the algebraic Yang-Baxter equation and the braided Yang-Baxter relation (which is sometimes called the
quantum Yang-Baxter equation). Equation (3) is the latter. Furthermore, some sources treat a more complicated
version of the Yang-Baxter equation in which $R$ depends on a continuous parameter. In such works equation (3) is
often referred to as the constant Yang-Baxter equation.
or to move dits around. Thus, to prove computational universality, it is helpful to first construct
a SWAP gate from $R$ gates, which exchanges neighboring dits. As is well known, the $n - 1$ swaps
of nearest neighbors on a line generate the full group $S_n$ of permutations, and thus a SWAP gate
enables application of $R$ to any pair of dits.

For $R$ gates of the form (5), two pairs of inverse group elements in the order $a, a^{-1}, b, b^{-1}$ can
be swapped by applying the product $R_2 R_3 R_1 R_2$. Thus, in the construction of [33, 30], elements of
$A_5$ are always paired with their inverses. This can be regarded as a form of encoding; $|A_5| = 60$, so
each 60-state dit is encoded by a corresponding pair of elements of $A_5$. We introduce the notation
$\bar g = (g, g^{-1})$ for this encoding, and similarly, abbreviate the encoded swap operation as follows.

[Diagram: the encoded swap gate $S$, drawn as a box on the encoded dits $\bar a, \bar b$ with outputs $\bar b, \bar a$, and
its expansion into the four gates $R_2 R_3 R_1 R_2$ acting on the raw dits $a, a^{-1}, b, b^{-1}$; the inverse
gate $S^{-1}$ is drawn the same way.]

Similarly, the sequence $R_2 R_3 R_3 R_2$ performs the transformation $(a, b) \mapsto (a,\ aba^{-1})$ on a pair of
encoded dits. We abbreviate this in circuit diagrams as follows.

[Diagram: the gate $C$, drawn as a box on the encoded dits $\bar a, \bar b$, expands to $R_2 R_3 R_3 R_2$ and
maps the raw dits $(a, a^{-1}, b, b^{-1})$ to $(a, a^{-1}, aba^{-1}, ab^{-1}a^{-1})$; the gate $C^{-1}$ expands to
$R_2^{-1} R_3^{-1} R_3^{-1} R_2^{-1}$ and maps them to $(a, a^{-1}, a^{-1}ba, a^{-1}b^{-1}a)$.]

This notation can easily be extended to provide a shorthand for the sequence of gates needed to 
implement a C gate between non-neighboring pairs of bits, as illustrated by the following examples. 

[Diagram: $C$ and $C^{-1}$ gates between non-neighboring encoded dits, each expanded into a
sequence of $S$ gates that bring the two dits together, a neighboring $C$ or $C^{-1}$ gate, and the $S$
gates that move them back.]

Next, consider the following product of elements of $A_5$ (which should be read right-to-left).

$$f(g_1, g_2) = (521)\, g_1\, (14352)\, g_2\, (124)\, g_1^{-1}\, (15342)\, g_2^{-1}\, (521) \qquad (6)$$
One sees that

$$f((345),(345)) = 1, \quad f((345),(435)) = 1, \quad f((435),(345)) = 1, \quad f((435),(435)) = (12)(34),$$

where $1$ denotes the identity permutation. Furthermore, conjugating $(345)$ by $(12)(34)$ yields
$(435)$, and conversely, conjugating $(435)$ by $(12)(34)$ yields $(345)$. Thus, we may think of $(345)$ as
an encoded zero and $(435)$ as an encoded one, and we see that

$$f(g_1, g_2)\ g_0\ f(g_1, g_2) \qquad (7)$$

toggles $g_0$ between one and zero if $g_1$ and $g_2$ are both encoded ones and leaves $g_0$ unchanged
otherwise. Such a doubly-controlled toggling operation is known as a Toffoli gate, which is well-
known to be a computationally universal reversible gate [16].

As a circuit diagram, this construction can be expressed as follows.

[Diagram: the encoded dits $g_0, g_1, g_2$ and the four ancilla dits enter from the left; the target $g_0$
passes through the sequence of gates $C, C^{-1}, C, C^{-1}, C, C, C, C, C$, each controlled by $g_1$, $g_2$ or
one of the ancillas; the outputs are $g_0', g_1, g_2$ and the unchanged ancillas.]

Here, if $g_0, g_1, g_2$ encode bits $b_0, b_1, b_2$ then $g_0'$ encodes $b_0 \oplus b_1 \wedge b_2$. The four ancillary dits $(14352)$,
$(15342)$, $(124)$, and $(521)$, are used to "catalytically" facilitate the construction of a Toffoli gate,
and thus computations built from arbitrarily many Toffoli gates can be performed with only one
copy of these four dits.

Unpacking the various shorthand notations, one sees that the above circuit represents the
following braid of 132 crossings on 14 strands.

[Braid word of 132 crossings on 14 strands, written in groups of four; only fragments survived
extraction, among them the groups $\sigma_8\sigma_9\sigma_9\sigma_8$, $\sigma_2\sigma_3\sigma_1\sigma_2$, $\sigma_{10}\sigma_{11}\sigma_9\sigma_{10}$,
$\sigma_6\sigma_7\sigma_5\sigma_6$, $\sigma_4\sigma_5\sigma_3\sigma_4$, $\sigma_{10}\sigma_{11}\sigma_{11}\sigma_{10}$ and $\sigma_{12}\sigma_{13}\sigma_{11}\sigma_{12}$.]

Note that we take the convention that this should be read backwards compared to the way one reads
English text. This is in keeping with the conventional notation for the composition of functions
and our right-to-left multiplication of $R$ matrices. We have used whitespace to divide crossings into
groups of four as these correspond to elementary $S$ and $R$ gates.

Given this construction of the Toffoli gate by braid crossings, it is a simple matter to "compile"
any given logic circuit into a corresponding braid. There are 3600 pairs of elements of $A_5$. Thus,
encoding a single bit into a pair of elements appears somewhat wasteful. We do not know
the smallest dimension of a permutation matrix satisfying the Yang-Baxter equation that acts as
a universal reversible gate, but we have proven by exhaustive computer search that it is at least
$25 \times 25$.
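The $R$ gate of equation (5), the encoded $S$ and $C$ gates, and the Toffoli construction of equations (6) and (7), as one added worked example covering this section (illustration code written for this page, not the authors' or Mochon's implementation). It checks the Yang-Baxter relation (3) for $R(a,b) = (b, b^{-1}ab)$ exhaustively on $S_3$ and on sampled triples from $A_5$, verifies that $R_2 R_3 R_1 R_2$ exchanges two encoded dits and that $R_2 R_3 R_3 R_2$ (and its inverse) conjugates one encoded dit by another, evaluates $f(g_1, g_2)$ on the four encoded inputs, and runs the nine-gate Toffoli circuit on all eight bit assignments. Permutations of $\{1,\ldots,5\}$ are stored 0-indexed as tuples, products are taken right to left as in the text, and the function names are choices made here.

```python
"""Section 4 worked example: the conjugation gate R, the encoded S and C gates
and the A5 Toffoli gate (illustration code written for this page).
Products are read right to left as in the text: (xy)(i) = x(y(i))."""
from itertools import permutations, product
import random


def cyc(*cycle):
    """One cycle in the paper's 1-indexed notation, e.g. cyc(3, 4, 5) = (345)."""
    p = list(range(5))
    for a, b in zip(cycle, cycle[1:] + cycle[:1]):
        p[a - 1] = b - 1
    return tuple(p)


def mul(x, y):
    return tuple(x[y[i]] for i in range(len(x)))


def inv(x):
    r = [0] * len(x)
    for i, v in enumerate(x):
        r[v] = i
    return tuple(r)


def parity(p):
    return sum(p[i] > p[j] for i in range(len(p)) for j in range(i + 1, len(p))) % 2


S3 = list(permutations(range(3)))                            # 6 elements
A5 = [p for p in permutations(range(5)) if parity(p) == 0]   # 60 elements


def R(a, b):
    """Equation (5): R(a, b) = (b, b^{-1} a b)."""
    return b, mul(mul(inv(b), a), b)


def R_inv(c, d):
    """Inverse gate: R^{-1}(c, d) = (c d c^{-1}, c)."""
    return mul(mul(c, d), inv(c)), c


def apply_R(state, i, power=1):
    """Apply R_i (power=1) or R_i^{-1} (power=-1) to dits i and i+1, 1-indexed."""
    s = list(state)
    s[i - 1], s[i] = (R if power == 1 else R_inv)(s[i - 1], s[i])
    return tuple(s)


def run(state, word):
    """Apply a matrix product such as R2R3R1R2, given as [2, 3, 1, 2] with negative
    entries for inverse gates; the rightmost factor acts first."""
    for g in reversed(word):
        state = apply_R(state, abs(g), 1 if g > 0 else -1)
    return state


def yang_baxter_holds(group, samples=None):
    """Relation (3), R1R2R1 = R2R1R2, on all triples or on a fixed pseudo-random sample."""
    triples = product(group, repeat=3)
    if samples is not None:
        rng = random.Random(0)
        triples = [tuple(rng.choice(group) for _ in range(3)) for _ in range(samples)]
    return all(run(t, [1, 2, 1]) == run(t, [2, 1, 2]) for t in triples)


def enc(g):
    """Encoded dit: the pair (g, g^{-1})."""
    return (g, inv(g))


def swap_gate_ok(a, b):
    """S = R2R3R1R2 exchanges two encoded dits."""
    return run(enc(a) + enc(b), [2, 3, 1, 2]) == enc(b) + enc(a)


def conj_gate_ok(a, b):
    """C = R2R3R3R2 maps (a, b) to (a, a b a^{-1}); C^{-1} maps it to (a, a^{-1} b a)."""
    c_ok = run(enc(a) + enc(b), [2, 3, 3, 2]) == enc(a) + enc(mul(mul(a, b), inv(a)))
    ci_ok = run(enc(a) + enc(b), [-2, -3, -3, -2]) == enc(a) + enc(mul(mul(inv(a), b), a))
    return c_ok and ci_ok


ZERO, ONE = cyc(3, 4, 5), cyc(4, 3, 5)        # encoded 0 and encoded 1
ANCILLAS = (cyc(1, 4, 3, 5, 2), cyc(1, 5, 3, 4, 2), cyc(1, 2, 4), cyc(5, 2, 1))


def f(g1, g2):
    """Equation (6); factors listed left to right, product taken right to left."""
    factors = [cyc(5, 2, 1), g1, cyc(1, 4, 3, 5, 2), g2, cyc(1, 2, 4),
               inv(g1), cyc(1, 5, 3, 4, 2), inv(g2), cyc(5, 2, 1)]
    out = tuple(range(5))
    for x in factors:
        out = mul(out, x)
    return out


def toffoli(g0, g1, g2):
    """Equation (7) as the nine C / C^{-1} gates of the circuit diagram: each gate
    conjugates the target g0 by one control dit; the rightmost factor of f acts first."""
    controls = [(cyc(5, 2, 1), 1), (g2, -1), (cyc(1, 5, 3, 4, 2), 1), (g1, -1),
                (cyc(1, 2, 4), 1), (g2, 1), (cyc(1, 4, 3, 5, 2), 1), (g1, 1),
                (cyc(5, 2, 1), 1)]
    for ctrl, power in controls:
        if power == 1:
            g0 = mul(mul(ctrl, g0), inv(ctrl))      # C gate: g0 -> ctrl g0 ctrl^{-1}
        else:
            g0 = mul(mul(inv(ctrl), g0), ctrl)      # C^{-1} gate: g0 -> ctrl^{-1} g0 ctrl
    return g0


def toffoli_truth_table():
    """Map each (b0, b1, b2) to the bit encoded by the output dit g0'."""
    bit = {ZERO: 0, ONE: 1}
    table = {}
    for bits in product((0, 1), repeat=3):
        g0, g1, g2 = (ONE if b else ZERO for b in bits)
        table[bits] = bit[toffoli(g0, g1, g2)]
    return table
```

The Toffoli routine works at the encoded level, using the fact checked by `conj_gate_ok` that a $C$ gate is conjugation of one encoded dit by another; expanding each of the nine gates into its $R$ gates and the intervening $S$ gates is what produces the 132-crossing braid quoted in the text.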



5 Quantum circuits 

5.1 Obfuscating quantum circuits with braids 

While the state of knowledge about classical obfuscation is limited, essentially nothing is known
about the quantum case. Here we briefly discuss how to construct an obfuscator for quantum
circuits, analogously to the classical obfuscator defined by Algorithm 1.

In Section 4 we discussed classical universality of circuits encoded as braids. It turns out that
an analogous theory can be developed for quantum circuits, and is well-understood. The family of
so-called Fibonacci representations of the braid groups have dense image in the unitary group, and
there are efficient classical algorithms for translating any quantum circuit into a braid (and vice-
versa) in a way that preserves unitary functionality [17]. Approachable descriptions of the Fibonacci
representation are given in [34, 36]. In [34], what we call the "Fibonacci representation" here is
called the "$**$" irreducible sub-representation. This is a family of representations $\rho^{(n)}_{\mathrm{Fib}} : B_n \to
U(F_{n-1})$, where $F_k$ is the $k$-th Fibonacci number. For our application, the essential properties
of the Fibonacci representation are locality and local density. These two properties mean that,
under a certain qubit encoding, braid generators correspond to local unitaries, and local unitaries
correspond to short braid words. Standard arguments from quantum computation tell us that
we can achieve the latter to precision $\epsilon$ with $O(\log^{3.97}(1/\epsilon))$ braid generators by means of the
Solovay-Kitaev algorithm [12].

A natural basis for the space of $\rho^{(n)}_{\mathrm{Fib}}$ can be identified with strings of length $n$ from the alphabet
$\{*, p\}$, which begin with $*$, end with $p$, and do not contain the substring $**$.⁴ Following [2],⁵
for $n$ a multiple of four, we identify a particular subspace $V_n$ of $\rho^{(n)}_{\mathrm{Fib}}$ by discarding some basis
elements, as follows. Partition a string $s$ into substrings of length four. If each of these substrings
is equal to either $*p*p$ (this will encode a 0) or $*ppp$ (this will encode a 1), then the basis element
corresponding to $s$ is in $V_n$; otherwise, it is not. Note that $\dim V_n = 2^{n/4}$. The following theorem
follows from [2, 12].

Theorem 2. There is a classical algorithm which, given an $(n/4)$-qubit quantum circuit $C$ and
$\epsilon > 0$, outputs a braid $b \in B_n$ of length $O(|C| \log^{3.97}(1/\epsilon))$ satisfying

$$\left\| \rho^{(n)}_{\mathrm{Fib}}(b)\big|_{V_n} - C \right\| < \epsilon;$$

this algorithm has complexity $O(|b|)$.

⁴In [34] the $**$ subrepresentation of $B_n$ acts on strings of length $n+1$ that begin and end with $*$. One can leave
the initial and/or final $*$ implicit as these are left unchanged by all braiding operations. We omit the final $*$, leaving
us strings of length $n$ that begin with $*$ and end with $p$.

⁵Reference [2] describes the basis vectors in terms of "paths". The correspondence between the path notation and
the $p*$ notation is given in appendix C of [34].



For the opposite direction, we can identify a subspace $W_n \subset (\mathbb{C}^2)^{\otimes n}$ by discarding all bitstrings
except those that start with 0, end with 1 and do not have "00" as a substring. Then $\dim W_n =
\dim \rho^{(n)}_{\mathrm{Fib}}$ and we have the following.
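The basis strings, the code subspace $V_n$ and the bitstring subspace $W_n$ of this section, as an added worked example (illustration code written for this page, not the authors' code or the algorithm of [2]): it enumerates the strings for small $n$, recovers $\dim \rho^{(n)}_{\mathrm{Fib}} = F_{n-1}$, $\dim V_n = 2^{n/4}$ and $\dim W_n = \dim \rho^{(n)}_{\mathrm{Fib}}$, and returns the qubit string that each element of $V_n$ encodes. Function names are choices made here.

```python
"""Section 5.1 worked example: Fibonacci basis strings, the code subspace V_n
and the bitstring subspace W_n (illustration code written for this page)."""
from itertools import product


def fib(k):
    """k-th Fibonacci number with F_1 = F_2 = 1."""
    a, b = 0, 1
    for _ in range(k):
        a, b = b, a + b
    return a


def fib_basis(n):
    """Strings of length n over {*, p} that begin with *, end with p and contain
    no '**' (the convention of footnote 4); there are F_{n-1} of them."""
    return [s for s in (''.join(t) for t in product('*p', repeat=n))
            if s[0] == '*' and s[-1] == 'p' and '**' not in s]


def code_subspace(n):
    """V_n for n a multiple of four: the basis strings whose blocks of four are
    all *p*p (encoding 0) or *ppp (encoding 1), mapped to the encoded bitstring."""
    if n % 4 != 0:
        raise ValueError("n must be a multiple of four")
    block = {'*p*p': '0', '*ppp': '1'}
    out = {}
    for s in fib_basis(n):
        blocks = [s[i:i + 4] for i in range(0, n, 4)]
        if all(b in block for b in blocks):
            out[s] = ''.join(block[b] for b in blocks)
    return out


def w_basis(n):
    """W_n: bitstrings of length n that start with 0, end with 1 and contain no '00'."""
    return [s for s in (''.join(t) for t in product('01', repeat=n))
            if s[0] == '0' and s[-1] == '1' and '00' not in s]


def dimensions(n):
    """(dim rho_Fib^(n), dim V_n, dim W_n) for n a multiple of four."""
    return len(fib_basis(n)), len(code_subspace(n)), len(w_basis(n))
```

Mapping $* \mapsto 0$ and $p \mapsto 1$ sends the strings of `fib_basis` bijectively onto those of `w_basis`, which is why the two dimensions agree.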

Theorem 3. There is a classical algorithm which, given $b \in B_n$ and $\epsilon > 0$, outputs a quantum
circuit $C$ on $n$ qubits of length $O(|b| \log^{3.97}(1/\epsilon))$ such that

$$\left\| C\big|_{W_n} - \rho^{(n)}_{\mathrm{Fib}}(b) \right\| < \epsilon;$$

this algorithm has complexity $O(|C|)$.



The two algorithms in the above theorems are described explicitly in [2]. With these algorithms in
hand, we can apply Algorithm 1 directly to quantum circuits. For an input circuit $C$ on $n$ qubits,
the running time of the algorithm is $O(|C|^2 n \cdot \mathrm{polylog}(n, 1/\epsilon))$. The length of the output cannot
be longer than the running time. We are not aware of a better upper bound for the length of the
output.

Note that reduction of quantum circuits to a normal form using a complete set of gate relations
should not be possible in polynomial time, because this would yield a polynomial-time algorithm
for deciding whether a quantum circuit is equivalent to the identity, which is a coQMA-complete
problem [25].

In light of Theorem 2, $\{\rho_{\mathrm{Fib}}(\sigma_1), \ldots, \rho_{\mathrm{Fib}}(\sigma_{n-1})\}$ may be regarded as a universal set of elementary
quantum gates. A word in the Artin generators of $B_n$ then corresponds to a circuit in this gate set.
The "gates" $\{\rho_{\mathrm{Fib}}(\sigma_1), \ldots, \rho_{\mathrm{Fib}}(\sigma_{n-1})\}$ differ from conventional quantum gates in that they do not
possess locality defined in terms of a strict tensor product structure. Nevertheless, the algorithm for
computing the braid normal form satisfies the definition of partial-indistinguishability obfuscation
for circuits composed from the gates $\{\rho_{\mathrm{Fib}}(\sigma_1), \ldots, \rho_{\mathrm{Fib}}(\sigma_{n-1})\}$.



5.2 Testing claimed quantum computers with a quantum obfuscator 

It is natural to consider quantum analogues of the applications of obfuscation from classical com- 
puter science. We suggest a potential application of quantum circuit obfuscation that does not fit 
this mold: testing claimed quantum computers. Suppose Bob claims to have access to a universal 
quantum computer with some fixed finite number of qubits. Alice has access to a classical computer 
only, as well as a classical communication channel with Bob. Can Alice determine if Bob is telling 
the truth? Barring tremendous advances in complexity theory, a provably correct test is unlikely;‡ 
can we still design a test in which we have a high degree of confidence? Given the extensive work on 
classical algorithms for factoring, a reasonable idea is to simply ask Bob to factor a sufficiently large 
RSA number. However, Shor's algorithm only begins to outperform the best classical algorithms 
when thousands of logical qubits can be employed. A much smaller universal quantum computer 
(e.g., a few dozen qubits) is likely to be a far simpler engineering challenge and could still be quite 
useful, e.g., for simulating certain quantum systems. A test that works in this case would thus 
be very valuable. We now outline a new proposal for such a test. Simply put, we propose asking 
questions that are classically easy to answer, but posing them in an obfuscated manner. In this 
test, Alice would repeatedly generate quantum circuits and ask Bob to run them. At least some 
of the circuits would in fact be quantumly-obfuscated classical reversible circuits, allowing Alice to 
easily check the answers. 

‡ Notice that even a proof that BQP ≠ BPP would be insufficient; one would have to find specific problems and 
instance sizes where some quantum strategy provably beats every classical one. We are thus left with a situation 
analogous to the practical security guarantees of modern cryptographic systems, which tell us how many bit operations 
it would take to crack a given instance using the fastest known algorithms. 

We have considerable freedom when designing such a test. How to choose these parameters 
in a way that makes the test difficult to fool with a classical computer is an open question. For 
purposes of illustration, we give one example. Let O be the obfuscation algorithm for quantum 
circuits described above. 

Algorithm 2. 

1. Select a random bitstring s of length k. 

2. Let C be the (k + 1)-bit circuit that, on all-zero input, initializes wires 2 through k + 1 to s 
and then computes the parity of s into the first wire. 

3. Compute O(C), and let n be the number of qubits needed to run O(C). 

4. Ask Bob to run O(C) on the all-zeros string and return the first bit of output. 

Clearly, k must be chosen so that n is smaller than the number of logical qubits Bob claims to 
control. To fool Alice, a purely classical Bob must determine the parity of s. The dictionary attack 
(i.e. Bob repeatedly guesses at s, obfuscates the corresponding circuit, and compares the result to 
the circuit given by Alice) is of no use provided k is reasonably large, e.g., 80 bits, which can be 
encoded using a braid of 115 strands using the Zeckendorf encoding described in [31]. 
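The subspace W_n introduced before Theorem 3 and the idea of packing a k-bit string s into a W_n basis state, as an added example (not code from the paper): the encoding below is a standard Zeckendorf construction assumed here for illustration, not necessarily the encoding of [31], so the strand counts it reports are specific to this construction.

```python
from itertools import product


def fib(n):
    """Fibonacci numbers with F_1 = F_2 = 1 (so fib(0) = 0)."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


def in_w(s):
    """Membership test for the computational basis of W_n: starts with 0,
    ends with 1, and never contains '00'."""
    return s[0] == '0' and s[-1] == '1' and '00' not in s


def w_basis(n):
    """All basis states of W_n by brute force; their number equals F_{n-1}."""
    return [s for s in map(''.join, product('01', repeat=n)) if in_w(s)]


def encode(m, n):
    """Assumed encoding: map an integer 0 <= m < F_{n-1} to a W_n basis state.
    Greedy Zeckendorf digits over F_{n-2}, ..., F_2 never have two adjacent 1s;
    complementing them gives a string with no '00', which is then framed by
    the fixed prefix '01' and suffix '1' so it lies in W_n."""
    if n < 3 or not 0 <= m < fib(n - 1):
        raise ValueError("index does not fit into W_n")
    digits = []
    for i in range(n - 2, 1, -1):
        if fib(i) <= m:
            digits.append('1')
            m -= fib(i)
        else:
            digits.append('0')
    middle = ''.join('1' if d == '0' else '0' for d in digits)
    return '01' + middle + '1'


def decode(s):
    """Inverse of encode: a '0' in the middle block is a Zeckendorf '1' of weight F_{n-2-k}."""
    n = len(s)
    if not in_w(s):
        raise ValueError("not a W_n basis state")
    return sum(fib(n - 2 - k) for k, c in enumerate(s[2:-1]) if c == '0')


def strands_for_bits(k):
    """Smallest n with dim W_n = F_{n-1} >= 2^k, i.e. the strands this encoding needs for every k-bit s."""
    n = 3
    while fib(n - 1) < 2 ** k:
        n += 1
    return n
```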

We now show that there can be no efficient general-purpose algorithm for breaking our test by 
detecting whether a given quantum circuit is in fact (almost) classical, and if so, simulating it. 

Definition 4. Let c be a bit string specifying a quantum circuit via a standard universal set Q of 
quantum gates, and let U_c be the corresponding unitary operator. Fix some constants r, d, a ∈ N, 
and fix a set R of reversible gates. The problem CLASS(r, d, a, Q, R) is to find a reversible circuit of 
at most r|c|^d gates from R such that the corresponding permutation matrix P satisfies ‖U_c − P‖ < 
2^{−a|c|}. 

Note that CLASS(r, d, a, Q, R) is not a decision problem. Thus, to formulate the question of whether 
this problem can be efficiently solved, we must ask not whether CLASS(r, d, a, Q, R) is contained 
in P but whether it is contained in FP. We now provide some formal evidence that this is not the 
case. Note that the following theorems continue to hold if we change the classicality condition in 
Definition 4 to ‖U_c − P‖ < |c|^{−a}. 

Theorem 4. For any fixed r, d, a ∈ N, any universal reversible gate set R, and any universal 
quantum gate set Q, if CLASS(r, d, a, Q, R) ∈ FP then QCMA ⊆ P^{NP}. 

Note that QCMA ⊆ P^{NP} would be very surprising because, among other things, it would imply 
BQP ⊆ PH, and there is evidence that this is false [1, 15]. 

Proof. The standard QCMA-complete language L is as follows. Let 𝒞 be the set of all quantum 
circuits (expressed as a concatenation of bitstrings that index elements of the gate set Q). 𝒞 
decomposes as the disjoint union of L and L̄, where L consists of the quantum circuits that accept 
at least one classical (i.e. computational basis state) input, and L̄ consists of the circuits that 
reject all inputs. Given a quantum circuit V_1 ∈ 𝒞 (the "verifier"), we can amplify it using standard 
techniques [29, 31] to accept YES instances with probability at least 1 − O(2^{−n}) and accept NO 
instances with probability at most O(2^{−n}). Let V_2 be such an amplified verifier. Further, let 
V_3 be the circuit built from V_2 shown in the following diagram (figure not reproduced here), 

[circuit diagram defining V_3 in terms of V_2] 

where the second-to-top qubit is the acceptance qubit of V_2. If V_1 ∈ L̄ then ‖V_3 − 1‖ = O(2^{−n}). 
By assumption, there exists a polynomial time classical algorithm for solving CLASS(r, d, a, Q, R). 
When presented with V_3, this algorithm will produce a polynomial-size reversible circuit V_4 strongly 
equivalent to the identity. By querying an oracle for the problem of strong equivalence of reversible 
circuits, one can decide whether V_4 is equivalent to the circuit of no gates, and hence to the identity 
operation. If V_1 ∈ L̄, this oracle will accept. If V_1 ∈ L then the algorithm for CLASS(r, d, a, Q, R) will answer 
NO or produce a circuit that this oracle rejects. As shown in [26], the problem of deciding strong 
equivalence of reversible circuits is contained in coNP. Thus, we can decide QCMA in P^{coNP}, which 
is equal to the more familiar complexity class P^{NP}. □ 



6 Future work 

6.1 Dictionary attacks 

The partial-indistinguishability obfuscator described in the preceding sections deterministically 
maps input circuits to obfuscated circuits. This creates a potential weakness in the obfuscation. 
Suppose Alice wishes to run a computation C on Bob's server but does not wish Bob to know what 
computation she is running. Thus, she sends the obfuscated circuit O(C) to Bob, who executes it 
and returns the result. Alice may hardcode the input to the circuit, and append a one-time pad 
encryption to the output, so that Bob learns nothing of C, the input, or the output. However, if 
Bob knows that the circuits Alice is likely to want to execute are drawn from some small set S, then 
Bob can simply compute {O(s) | s ∈ S} and identify Alice's computation by finding it in this list. 
Such attacks are sometimes called "dictionary" attacks after the practice of recovering passwords 
by feeding all words from a dictionary into the hash function and comparing against the hashed 
password. 

Dictionary attacks may or may not be a serious threat to our obfuscation scheme, depending 
on the size of the set of likely circuits to be obfuscated. In cryptographic applications where 
dictionary attacks are a concern, the standard way to protect against them is to append random 
bits prior to encryption. (In the context of hashing passwords, this practice is called "salting".) 
Such a strategy can be applied to our obfuscator, but some care must be taken in doing so. The 
most obvious strategy is to append a random circuit on the output ancillas prior to obfuscation. 
However, attackers can defeat this countermeasure by using the polynomial-time algorithms for 
computing left-greatest-common-divisors in the braid group [T^]. Instead, prior to obfuscation, 
one may introduce extra dits, and apply random circuits before, after, and simultaneously with 
the computation, in a way so as not to disrupt it. The problem of optimizing the details of this 
procedure so as to maximize security and efficiency is left to future work. 
6.2 Classical and quantum universality 

It is of interest to consider other computationally universal representations of the braid group, 
which might provide more efficient translations from circuits to braids. One avenue for obtaining 
such representations is by finding other solutions to the Yang-Baxter equation, besides the operator 
R from Section 4. Our investigations so far prove that no permutation matrix solution of dimension 
up to 16 × 16 is a universal gate and suggest that no permutation matrix solution of dimension 
25 × 25 is a universal gate. In the quantum case, it has been shown that no 4 × 4 unitary solution 
is universal [3]. 

More generally, one may look for other finitely-generated groups with computationally universal 
representations and efficiently computable normal forms. One potential candidate family are the 
mapping class groups MCG(S_g) of unpunctured surfaces of genus g. These groups also have 
quantumly universal representations [3] and an efficiently solvable word problem [21]. It is not 
known if there are also classically universal permutation representations, or if there are efficiently 
computable normal forms. 

6.3 Expanding the set of indistinguishability relations 

By [26], achieving efficient indistinguishability obfuscation for the complete set of relations of a 
universal gate set is unlikely. However, it is possible that partial-indistinguishability obfuscation 
on R gates could be achieved with a larger set of relations than the braid relations. For example, 
the universal reversible gate described in Section 4 has order 60. If we add the relations σ_i^{60} = 1 
for i = 1, 2, ..., n − 1 to B_n, we obtain a "truncated" (but still infinite for large n [11]) factor of 
the braid group. If a normal form can still be computed in polynomial time for this group, then 
one could construct an efficient obfuscator using the relations of this truncated group, which would 
be strictly stronger than our braid group obfuscator. This approach also provides motivation for 
finding a complete set of relations for the gate R. 